Brexit and GDPR, the Nightmares Continue

We examine what the latest Brexit developments mean for your GDPR compliance

Two of 2018’s biggest news topics were the introduction of GDPR and the apparently never-ending Brexit saga. You might be forgiven for rolling your eyes, as it seems that pretty much everyone in the country has had enough of both of these stories.

The latest developments in the Brexit saga now have new implications for GDPR and your compliance. GDPR came into force on the 25th of May last year and required all companies to bolster their existing data management processes, with the aim of improving the rights of EU citizens whose data is held by third parties. When the 25th of May passed the UK was still a fully functioning member of the EU, but it now looks increasingly likely that the UK will leave the EU in a ‘no deal’ scenario, dreaded by some. If the UK does leave without a deal there could be dramatic ramifications for anyone who deals with partners on the continent.

The 29th of March 2019 has been repeatedly confirmed as the deadline for an initial Brexit deal, subject to potential transition periods which are yet to be confirmed. If the deadline is reached and no agreement has been found between the UK and the 27 EU member states, interaction between UK-based companies and their partners or subsidiaries in the EU will have to change.

In that scenario the UK would then be considered a ‘third country’ and, as a result, EU organisations will have to be able to demonstrate that transfers to and from UK companies comply with their internal GDPR regulations. You might be thinking, “we comply now, so surely we will comply even if we leave the EU.” Don’t be so sure.

The UK government have already taken precautionary steps by releasing guidance around Data Protection if the UK chooses to leave with ‘no deal’. The guidance outlines planning requirements and the government’s approach to preparing the UK for this potential outcome and can be found here.

In the event of a ‘no deal’ exit the EU will have to make a decision on whether the UK can be awarded ‘adequacy status’. This would require the UK to demonstrate that its existing data protection laws are adequate and that companies within the UK are safe and suitably regulated to manage and process EU citizens’ data. If the UK passed this rigorous testing the EU Commission would be able to make an adequacy decision and, if successful, personal data could be transferred without further restriction. This would require rigorous investigation of the current legislation in place within the UK, in the form of the Data Protection Act 2018. The UK government have applied for a decision to be made in advance of any potential exit, but the EU have decided they are not able to make any deliberations in advance and must wait until official confirmation of the UK becoming a third country.

No dramatic changes would be required to companies’ data regulation policies if the UK was awarded adequacy status, although any award is not guaranteed. Some analysts fear the EU might want to examine various factors in more detail before granting adequacy, including the controversial Investigatory Powers Act 2016. The Investigatory Powers Act 2016 has already been criticised by the European Court of Human Rights for giving the UK’s security and intelligence services too much access to private data, which could potentially conflict with an individual citizen’s privacy.

Without adequacy status the UK, and companies within its territories, would be subject to further requirements and stipulations when interacting with EU citizens’ data. The UK government appear to have already tried to alleviate fears when it comes to data transfer from the UK to the EU with the following statement.

“In recognition of the unprecedented degree of alignment between the UK and EU’s data protection regimes, the UK would at the point of exit continue to allow the free flow of personal data from the UK to the EU.”

The main area of concern for business would be the legitimacy of transferring data from the EU to the UK. There is no guarantee the EU will allow existing arrangements to continue in the event of a ‘no deal’ Brexit. There are also other areas which could be impacted by such a scenario. The EU-US Privacy Shield, an agreement in place to provide companies on both sides of the Atlantic with the mechanisms to comply with data protection requirements when transferring personal data, only applies to members of the EU. After a ‘no deal’ Brexit the UK would not be covered by any such agreements and new provisions might have to be arranged.

With the final outcome of Brexit still unclear, no-one is sure whether UK-based companies will need to make any changes to continue to share data with their partners based within the EU. In the meantime, ensuring that data policies are as robust as possible, complying with current EU GDPR regulation and with the UK’s own regulations, is vital. In preparation for any potential outcome companies should ensure that data policies are meticulously recorded so that any changes can be made if and when required.